Web Application Firewall (WAF) is a security service that protects your website and app services. WAF identifies malicious web business traffic, scrubs and filters the business traffic, and then forwards normal traffic to your server. This prevents your web server from being intruded and ensures data and business security.


  • Protect web applications against attacks.
  • Mitigate HTTP flood attacks and filter out malicious bot traffic to ensure the performance of your web server.
  • Provide solutions for business risk control to address security risks, such as abuse of business APIs.
  • Support transmission of back-to-origin traffic over HTTPS and HTTP to reduce workloads of the origin server.
  • Provide precise access control for HTTP and HTTPS traffic.
  • Support real-time storage, analysis, and custom reporting of full logs over a long period of time. WAF can synchronize online logs with third-party platforms to help you meet compliance requirements for classified protection.

Use of WAF

After you purchase a WAF instance, add the domain name of your website to WAF. Then, resolve the domain name to the CNAME provided by WAF and configure the IP address of your origin server to enable WAF protection. After you enable WAF protection, all Internet traffic to your website is redirected to WAF. WAF then detects and filters malicious traffic and forwards normal traffic to the IP address of your origin server. This ensures security, stability, and availability of your origin server. For more information, see Add domain names.


WAF supports the subscription billing method. You can purchase a WAF instance with a subscription period of one month, three months, six months, or one year. For more information, see Billing methods.